Samba authentication against Novell eDirectory

Henrik Nordstrom hno at squid-cache.org
Sat Feb 5 23:07:25 GMT 2005


On Sat, 5 Feb 2005, schmieder, holger wrote:

> So far so good. The problem is that samba is authenticating against the
> attribute sambaLMPassword. I can set that password with smbldap-passwd, but
> so I have two different passwords stored in NDS.

Welcome to the world of secure authentication ;-)

> I would now like to use the original NDS-password and disable the
> sambaLMPassword-attribute. I've played around with PAM and some settings
> in smb.conf but samba only accepts this one attribute.

Problem is that Samba and NDS both store the password one-way hashed, and
need different hash formats.  If you also want the directory to support
Digest authentication then yet another password hash format is required.

There are basically only two options here to make a directory work with
multiple authentication schemes:

a) Make several password attributes in the directory and make sure the
tools changing the user password change all of the attributes.

b) Have the directory store plain text passwords.

Approach 'a' is more secure, but requires the directory to support (at 
least to the level of password hashing) all the authentication models 
used.

Approach 'b' is simpler and allows easy migration to new authentication 
models without forcing all users to change their password, but has obvious 
security drawbacks.

Regards
Henrik
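
Approach 'a' as an added example (not part of the original message, and not Samba or eDirectory code): a password-change routine that derives each scheme's stored value from the plain text at the one moment it is available. The `{SSHA}` form for `userPassword`, the attribute name `digestHA1`, the function names and the sample user are assumptions; `sambaNTPassword` is emitted only when the Python build provides MD4.

```python
import base64
import hashlib
import hmac
import os

def ssha(password, salt=None):
    """{SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored, candidate):
    """Verify a candidate password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    probe = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(probe, digest)

def digest_ha1(user, realm, password):
    """HTTP Digest HA1 = MD5(user:realm:password), per RFC 2617."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def nt_hash(password):
    """NT hash = MD4(UTF-16LE password); None if this Python build lacks MD4."""
    try:
        md4 = hashlib.new("md4", password.encode("utf-16-le"))
    except ValueError:
        return None
    return md4.hexdigest().upper()

def build_password_attrs(user, realm, password):
    """Derive every scheme's attribute while the plain text is in hand.

    None of these values can be computed from another one, which is why the
    password-change tool has to write them all in the same operation.
    """
    attrs = {
        "userPassword": ssha(password),
        "digestHA1": digest_ha1(user, realm, password),  # hypothetical attribute name
    }
    nt = nt_hash(password)
    if nt is not None:
        attrs["sambaNTPassword"] = nt
    return attrs

if __name__ == "__main__":
    # Constructed sample user, realm and password.
    for name, value in build_password_attrs("alice", "example", "s3cret").items():
        print(f"{name}: {value}")
```

The NT hash and the Digest HA1 value are unsalted and password-equivalent for their protocols, so those attributes need the same read restrictions in the directory as a plain-text password would.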

